RESEARCH ANALYSIS

Clipboard Hijacked: How a Fake Proxifier Install Silently Drains Crypto Wallets Through a Multi-Stage Attack Chain

Threat actors are weaponizing trojanized Proxifier software to deliver ClipBanker malware, silently replacing clipboard crypto addresses to steal funds.

2026-04-15 · Source: Kaspersky Securelist

This analysis is based on research published by Kaspersky Securelist. CypherByte adds analysis, context, and security team recommendations.

Executive Summary

A sophisticated threat campaign uncovered by Kaspersky Securelist has brought renewed attention to a deceptively simple but devastatingly effective class of financial malware. Threat actors are distributing a trojanized version of Proxifier — a legitimate and widely trusted network proxy utility — that conceals a multi-stage infection chain ultimately delivering ClipBanker, a clipboard-hijacking malware designed to intercept and silently replace cryptocurrency wallet addresses at the moment of transaction. The result is a near-invisible theft mechanism that requires no phishing credential harvesting, no ransomware detonation, and no loud network exfiltration: just a patient, persistent redirect of funds directly into attacker-controlled wallets. Security teams responsible for endpoints in crypto-adjacent industries, fintech environments, and any organization whose personnel transact in digital assets should treat this research as an immediate operational concern.

What distinguishes this campaign from commodity clipper malware is the operational sophistication of its delivery mechanism. Rather than relying on simple drive-by downloads or obvious phishing lures, the attackers have engineered a prolonged, multi-stage infection chain that leverages the inherent trust users place in recognized software brands. The choice of Proxifier as a lure is deliberate — it is a tool commonly used by developers, security researchers, and power users who are precisely the demographic most likely to hold meaningful cryptocurrency assets and conduct high-value transactions. This is not opportunistic malware spray; it is a targeted, calculated operation. Independent security researchers, development teams, and IT administrators who routinely source utilities outside of official channels represent the highest-risk population.

Technical Analysis

According to the original research published by Kaspersky Securelist, the attack begins with the distribution of a trojanized installer that closely mimics the legitimate Proxifier setup package. The installer appears functional and may even deploy a working copy of Proxifier to maintain the illusion of legitimacy, which sharply reduces the likelihood of immediate suspicion. This technique, deploying genuine software alongside the malicious payload, is a hallmark of operators who prioritize stealth and dwell time over speed.

Key Finding: The malware employs a multi-stage dropper architecture, meaning no single stage contains the complete malicious payload. Each stage is designed to be individually inconspicuous, complicating both static analysis and behavioral detection by endpoint security solutions that may not correlate the full execution chain.

The infection chain progresses through multiple discrete stages following initial execution. Early stages handle environmental reconnaissance and persistence establishment, writing components to disk locations and registry keys associated with legitimate software behavior. Intermediate stages are responsible for unpacking or decrypting subsequent payloads, often using in-memory execution techniques to avoid writing obviously malicious binaries to disk. This staged unpacking approach is specifically engineered to evade signature-based detection, as each individual file on disk may appear benign in isolation.

The terminal payload, ClipBanker, establishes persistent clipboard monitoring through the standard Windows clipboard API (OpenClipboard, GetClipboardData and SetClipboardData), which any ordinary user-mode process can call without elevated privileges, code injection or API hooking. The malware continuously reads clipboard contents and checks them against regular expression patterns for cryptocurrency wallet address formats across multiple blockchain ecosystems, including Bitcoin (BTC) and Ethereum (ETH) and likely additional major chains. Upon detecting a valid wallet address string, ClipBanker silently overwrites the clipboard content with an attacker-controlled address of the same type. The substitution occurs within milliseconds of the copy, well before the victim pastes and well below the threshold of human perception. A victim who copies a recipient wallet address and pastes it into a transaction form will unknowingly paste the attacker's address instead, directing the full transaction value to the threat actor.

The malware demonstrates awareness of operational security, with components potentially checking for sandbox or analysis environments before fully deploying. The use of a trusted software lure combined with a drawn-out infection chain — what Kaspersky's researchers aptly describe as a "marathon" approach — suggests the operators are willing to accept a slower infection rate in exchange for significantly higher stealth and persistence longevity.

Impact Assessment

Affected systems are Windows endpoints where the trojanized installer has been executed. There is no evidence at time of analysis of macOS or Linux variants, though the underlying clipper technique is platform-agnostic and analogous threats exist across operating systems. The financial impact per successful infection can range from negligible to catastrophic depending entirely on the transaction values conducted by the victim. Unlike banking trojans that require account credential harvesting and subsequent fraudulent login activity, ClipBanker intervenes at the transaction itself, so a single high-value crypto transfer can result in complete, irreversible loss of the transferred funds.

Critical Impact Factor: Cryptocurrency transactions are by design irreversible. There is no chargeback mechanism, no fraud department to call, and no institutional backstop. A successful ClipBanker interception results in permanent, unrecoverable financial loss for the victim.

Organizations in the DeFi sector, cryptocurrency exchanges, blockchain development firms, and any enterprise treasury function holding digital assets face direct financial exposure. Beyond direct theft, organizations face reputational risk if internal compromise leads to client fund losses. The use of a network utility like Proxifier as the lure also suggests potential targeting of IT and DevOps personnel with elevated system access, raising the possibility that ClipBanker deployment could be a secondary objective alongside broader network reconnaissance.

CypherByte Perspective

This campaign is a sharp illustration of a threat trend that CypherByte has been tracking with increasing concern: the commoditization of precision financial targeting. ClipBanker-style malware represents a maturation beyond the noisy, high-detection-risk tactics of ransomware and credential stealers. It is quiet, patient, and financially efficient. The operational decision to wrap this payload in a multi-stage delivery chain rather than a simple dropper reflects an adversary ecosystem that is professionalizing — borrowing techniques from APT tradecraft and applying them to financially motivated campaigns.

The broader implication for the security industry is a need to fundamentally reassess how we communicate risk around software sourcing. The social contract users have with recognizable software brands is a durable attack surface. As long as threat actors can convincingly mimic trusted installers, supply chain vigilance must extend beyond enterprise software to the personal utilities and productivity tools that technically sophisticated users routinely deploy. Security awareness training must evolve to address the reality that malware can look exactly like the tool you intended to install — and can behave normally for days before its payload activates.

Indicators and Detection

Defenders should prioritize the following detection strategies based on the Kaspersky Securelist research findings and known ClipBanker behavioral patterns:

Behavioral Indicators: Monitor for processes making repeated or persistent calls to clipboard-related Windows APIs (OpenClipboard, GetClipboardData, SetClipboardData) outside of expected application contexts. Few legitimate applications read or write the clipboard continuously; the usual exceptions are password managers, clipboard managers, remote desktop and virtualization clients, and accessibility tools, which should be allowlisted by signed image path rather than by process name alone. Note that a clipper polls or reads frequently but writes only when an address is present, so a low absolute count of SetClipboardData calls is still significant when it comes from the wrong process. EDR solutions with API telemetry should be tuned to alert on anomalous clipboard access patterns, particularly from processes spawned by installer executables or residing in user-writable paths such as %APPDATA%, %TEMP%, or %LOCALAPPDATA% subdirectories.

File and Process Indicators: Look for installer processes that spawn unexpected child processes, particularly those involving scripting engines (powershell.exe, wscript.exe, mshta.exe) or that write executables to non-standard locations. Multi-stage droppers frequently use scheduled tasks or Run registry keys for persistence — baseline auditing of these locations will surface anomalous entries. Hash and YARA signatures specific to this campaign are detailed in the original Kaspersky Securelist publication, which CypherByte recommends ingesting directly into SIEM and threat intelligence platforms.

Detection Priority: Any clipboard write originating from a process that is not an allowlisted password manager, clipboard manager, remote desktop client or accessibility tool should be treated as high-priority, and escalated immediately when the process descends from an installer or runs from a user-writable path.

Network Indicators: While ClipBanker's primary mechanism is local clipboard manipulation, multi-stage droppers in this chain may beacon to command-and-control infrastructure for payload retrieval or operator notification. DNS and network traffic analysis for connections to newly registered domains or infrastructure with low reputation scores from processes associated with the installer lineage should be flagged for review.

Recommendations

1. Enforce application allowlisting and software sourcing policy. All software installations — including developer utilities and network tools — should be sourced exclusively from verified official vendor channels. Implement Group Policy or endpoint management controls that alert or block execution of unsigned or untrusted installers. Communicate explicitly to technical staff that no utility, regardless of familiarity, is exempt from sourcing policy.

2. Deploy clipboard monitoring detection rules in your EDR. Configure your endpoint detection and response platform to generate high-priority alerts for any non-allowlisted process that reads the clipboard at high frequency or writes to it shortly after a copy. Password managers, clipboard managers, remote desktop clients and accessibility tools should be explicitly allowlisted by signed image path to reduce false positives. Any alert from this rule set should trigger an immediate forensic triage workflow.

3. Implement transaction verification hygiene as a mandatory control for crypto operations. Any team or individual conducting cryptocurrency transactions should be trained and procedurally required to verify the full wallet address as it appears in the transaction form after pasting, character by character, against the intended recipient through an out-of-band channel, and on the device screen where a hardware wallet is used. Because the substitution happens on the clipboard, checking the pasted value rather than the copied one defeats ClipBanker's mechanism even on a compromised endpoint. It does not address anything else a compromised host may expose, so it complements rather than replaces the controls above.

4. Ingest Kaspersky Securelist IOCs into your threat intelligence platform immediately. The full indicator set published by Kaspersky Securelist should be operationalized in your SIEM, EDR, and network security tooling without delay. This includes file hashes, domain indicators, and any YARA rules provided in the original research.

5. Conduct retrospective log analysis. Security teams should run retrospective hunts against 90 days of endpoint and network telemetry using the published IOCs to identify any potential historical compromise that may have preceded this public disclosure. Given the malware's stealthy nature, silent infections may already be present in environments that process cryptocurrency transactions regularly.
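The substitution mechanism described in the Technical Analysis and the verification step in recommendation 3 both reduce to one question: is a given clipboard string a valid wallet address, and does what was pasted match what was intended? The following Python, added for this analysis and not code from the Kaspersky research, answers that for Bitcoin (Base58Check for legacy addresses, bech32 and bech32m checksums for segwit) and Ethereum (format only; the EIP-55 mixed-case checksum needs keccak, which the standard library does not provide). The addresses in the sample are well-known public documentation test vectors standing in for a recipient and for an attacker-controlled address; they are not indicators from the campaign, and the real malware's regexes are not known from this page.

```python
"""Wallet-address classification and paste verification (added example).

Checks whether a clipboard string is a structurally valid BTC or ETH address
and whether the pasted value matches the intended recipient. Addresses used
in the sample are public documentation test vectors, not campaign IOCs.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONSTS = (1, 0x2BC830A3)  # bech32 (BIP173) and bech32m (BIP350)


def _base58check_ok(addr: str) -> bool:
    """Legacy P2PKH/P2SH: 1-byte version, 20-byte hash, 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes 0x00
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_ok(addr: str) -> bool:
    """Segwit (bc1...): HRP 'bc', 6-character checksum over HRP expansion plus data."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid per BIP173
    addr = addr.lower()
    hrp, sep, data = addr.rpartition("1")
    if hrp != "bc" or not sep or not 6 <= len(data) <= 90 or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.find(c) for c in data]
    return _bech32_polymod(values) in BECH32_CONSTS


def classify_address(text: str):
    """Return 'btc', 'eth' or None; this is the matching a clipper (and a guard) performs."""
    s = text.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", s):
        return "eth"  # format only; EIP-55 mixed-case checksum is not verified here
    if re.fullmatch(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}", s) and _base58check_ok(s):
        return "btc"
    if re.fullmatch(r"(?i)bc1[02-9ac-hj-np-z]{6,87}", s) and _bech32_ok(s):
        return "btc"
    return None


def check_paste(intended: str, pasted: str) -> str:
    """Compare what landed in the transaction form against the intended recipient."""
    kind_i, kind_p = classify_address(intended), classify_address(pasted)
    if kind_i is None:
        return "intended value is not a recognised address"
    if intended.strip() == pasted.strip():
        return "ok"
    if kind_p == kind_i:
        return f"SUBSTITUTED: a different valid {kind_p} address was pasted"
    return "MISMATCH: pasted value differs from the intended address"


if __name__ == "__main__":
    # Public test-vector addresses (BIP173 / Bitcoin wiki), not attacker infrastructure.
    recipient = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    swapped = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
    print(check_paste(recipient, recipient))
    print(check_paste(recipient, swapped))
    print(classify_address("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"))
```

Two points follow from running it. First, a clipper only needs the same checksum logic to be sure it is replacing a real address and not a hash or an order number, which is why the swap is reliable and silent. Second, a one-character corruption of either address form fails validation, so a guard that compares the pasted value against the intended one catches both tampering and ordinary copy errors; what it cannot do is tell a valid attacker address from a valid recipient address without the out-of-band reference that recommendation 3 requires.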

This analysis is based on original threat research published by Kaspersky Securelist. Full technical details, indicators of compromise, and YARA signatures are available in the source publication at the link credited above. CypherByte recommends all security teams review the primary source material directly.
